Gentoo Forums
should we worry?
pathfinder
l33t
Joined: 19 Jan 2006
Posts: 731
Location: Barcelona, Spain

Posted: Fri Feb 22, 2008 4:46 pm    Post subject: should we worry?

Hi guys, this question is probably stupid, but since a flaw has been found in the kernel, I've been thinking of a lot of things related to open source software.
And these posts must be isolated and hardware related, but I wanted to mention them:


http://forums.gentoo.org/viewtopic-t-665156-highlight-.html
http://forums.gentoo.org/viewtopic-t-665573-highlight-.html
http://forums.gentoo.org/viewtopic-t-665669-highlight-.html
http://forums.gentoo.org/viewtopic-t-665609-highlight-.html
http://forums.gentoo.org/viewtopic-t-665672-highlight-.html



Now, my question: how many users really have a look at the open code? I mean, how many users would be able to check if there's some hidden or subtle security breach?
Would it be possible to drop in many progs some security flaws, then, sleeping killers, and when open source becomes the reference in terms of OS distribution in the world, would it be then feasible to wake up those security flaws and create a HUGE mess?

I know I'm paranoid, and it sounds really freaky. But what if that kernel mistake were intentionally done? This one and others, ready to operate, at some time or another?

Is there a hard security organism that checks every single line of code? Or is this totally impossible?
How many users never ever looked at a code? How many would be able to find a security flaw?...

Enjoy your WE.
Urban Cowboy
n00b
Joined: 09 Oct 2007
Posts: 64

Posted: Fri Feb 22, 2008 5:34 pm    Post subject:

I don't think so. When flaws are discovered, they are reported and subsequently patched.

But yeah.. http://forums.gentoo.org/viewtopic-t-665573-highlight-.html is particularly f'd up.
_________________
Anything worth doing is worth over-doing. Moderation is for cowards.


Last edited by Urban Cowboy on Fri Feb 22, 2008 5:37 pm; edited 1 time in total
i92guboj
Moderator
Joined: 30 Nov 2004
Posts: 10038
Location: Córdoba (Spain)

Posted: Fri Feb 22, 2008 5:36 pm    Post subject: Re: should we worry?

Quote:

Hi guys, this question is probably stupid, but since a flaw has been found in the kernel, I've been thinking of a lot of things related to open source software.


I would not say "stupid", but it is certainly based on smoke. Vulnerabilities are discovered every day in the kernel and in many other pieces of software, just use glsa-check. This latest one is not different in any regard. I don't know why people are so worried about it. The difference is that here they are discovered and fixed, while on some other OSes they are not, and that's why you don't see it (or maybe it is just because these other OSes are perfect, who knows? :mrgreen:).

pathfinder wrote:

Now, my question: how many users really have a look at the open code? I mean, how many users would be able to check if there's some hidden or subtle security breach?


Probably, every big enterprise using linux on their servers. There are lots of enterprises that do security audits for the kernels and servers that they use. And there are quite a lot, don't forget apache, php, mysql, sendmail and many others. Private individuals also do, to some extent. In addition, there are literally hundreds of kernel hackers acting on their own, revising the code, and making custom patchsets: all of these read, change and understand the linux kernel code. By the way: the linux kernel devs are not gods nor separate entities. You can become one if you wish with enough dedication, and the whole process is open, and the kernel lists have an amazing amount of traffic. If you subscribe to them you will see what I mean, and you will see how ridiculous your theory is. I used to get around 300-500 mails a day on that list, and sometimes even more. So: no, you can never be 100%. But with a closed source OS you are actually 0% sure, because you can't look at the code at all.

So, I can't get your point at all. Even if the security is not 100%, it is far far more than you can get with any closed source product. So, what are you asking about?

Quote:
Would it be possible to drop in many progs some security flaws, then, sleeping killers, and when open source becomes the reference in terms of OS distribution in the world, would it be then feasible to wake up those security flaws and create a HUGE mess?


Theoretically, and technically, it is also possible that someone called Darth Vader comes one day on a space ship with a light saber to visit us. Possibly... but I'd say it's highly improbable... well, maybe not for the light saber part. It's much more probable that such a threat is hidden in a closed source system that is much much much more extended world-wide, can you see the logic? :lol:

Quote:
I know I'm paranoid, and it sounds really freaky. But what if that kernel mistake were intentionally done? This one and others, ready to operate, at some time or another?


This is the well-known argument in the philosophy of the last centuries. What if we are just the product of someone else's imagination? (Read "Sophia's world" from Jostein Gaarder or whatever it's called in English, just as an example). Well, if that's the case, there's no place for safety in this whole world, and as such, you shouldn't worry either, because we are already damned.

Quote:
Is there a hard security organism that checks every single line of code? Or is this totally impossible?
How many users never ever looked at a code? How many would be able to find a security flaw?...


By this same logic, there would be a need for another organism to control the control organism. That logic is flawed. It is precisely the fact that the security audits are not centralized, which guarantees that no one (unless s/he has god-like powers) can control it to his/her will.

I would just go on holidays and use windows for a while, then you will come back a lot more relaxed :lol:

EDIT. Take the whole post with a grain of salt. I wrote it in a semi-humorous fashion :)
_________________
Gentoo Handbook | My website
kernelOfTruth
Watchman
Joined: 20 Dec 2005
Posts: 5720
Location: Vienna, Austria; Germany; hello world :)

Posted: Fri Feb 22, 2008 6:07 pm    Post subject:

Urban Cowboy wrote:
I don't think so. When flaws are discovered, they are reported and subsequently patched.

But yeah.. http://forums.gentoo.org/viewtopic-t-665573-highlight-.html is particularly f'd up.


that sounds REALLY scary 8O

@pathfinder:
your post honours your name ;)
I hope I don't read more of those otherwise I'll have to consider dividing my hdd up into 2 halves & backup my data on an ntfs-partition with windows :?

don't let the winblow$ fanboys know of that :lol:

... however ... I've lost more data in the past with windows than with linux (no offence !)
_________________
https://github.com/kernelOfTruth/ZFS-for-SystemRescueCD/tree/ZFS-for-SysRescCD-4.3.0-r2
2.6.37.2_plus_v1: BFS, CFS,THP,compaction, zcache or TOI
Hardcore Linux user since 2004 :D
Sven Vermeulen
Developer
Joined: 29 Aug 2002
Posts: 1345
Location: Mechelen, Belgium

Posted: Fri Feb 22, 2008 9:15 pm    Post subject: Re: should we worry?

pathfinder wrote:

Would it be possible to drop in many progs some security flaws, then, sleeping killers, and when open source becomes the reference in terms of OS distribution in the world, would it be then feasible to wake up those security flaws and create a HUGE mess?


I don't see why this is open source related. The same can be said of closed-source software, and it'll be much harder to find out.
_________________
Please add "[solved]" to the initial topic title when it is solved. TIA.
Linux Sea (PDF), an online e-book on Gentoo Linux
NathanZachary
Moderator
Joined: 30 Jan 2007
Posts: 2336
Location: /home/zach

Posted: Fri Feb 22, 2008 10:57 pm    Post subject:

As already mentioned, it is possible that ANY program can have data miners, callbacks, and other threats to security coded into them. However, it will be much more noticeable in open source software than in closed-source.
_________________
“Truth, like infinity, is to be forever approached but never reached.” --Jean Ayres (1972)
---avatar cropped from =AimanStudio---
pathfinder
l33t
Joined: 19 Jan 2006
Posts: 731
Location: Barcelona, Spain

Posted: Sun Feb 24, 2008 2:08 pm    Post subject:

ok guys ok
wowowowowowow it's ok, it was stupid. No need to crucify me, I just asked... You answered. It's ok. I'm really happy for your answers, but ok, sorry if I annoyed anyone. I'll ask Darth Vader to come and kill me before anyone else :D :D :D
you know, I felt stupid asking, I thanked the Chat thing for the posting... otherwise I would have never asked such a thing. But now, you know, I feel EVEN MORE Stupid than before. Fresh air. Wow. I'll go out for a while in my spaceship and try to find a place where no one remembers me :(
;-)
NathanZachary
Moderator
Joined: 30 Jan 2007
Posts: 2336
Location: /home/zach

Posted: Sun Feb 24, 2008 6:20 pm    Post subject:

pathfinder wrote:
ok guys ok
wowowowowowow it's ok, it was stupid. No need to crucify me, I just asked... You answered. It's ok. I'm really happy for your answers, but ok, sorry if I annoyed anyone. I'll ask Darth Vader to come and kill me before anyone else :D :D :D
you know, I felt stupid asking, I thanked the Chat thing for the posting... otherwise I would have never asked such a thing. But now, you know, I feel EVEN MORE Stupid than before. Fresh air. Wow. I'll go out for a while in my spaceship and try to find a place where no one remembers me :(
;-)


I wasn't trying to make you feel stupid at all. I'm sorry if it came off that way; it wasn't a stupid question. :)
_________________
“Truth, like infinity, is to be forever approached but never reached.” --Jean Ayres (1972)
---avatar cropped from =AimanStudio---
Voltago
Advocate
Joined: 02 Sep 2003
Posts: 2550
Location: In the city of dreaming spires

Posted: Sun Feb 24, 2008 6:51 pm    Post subject: Re: should we worry?

Sven Vermeulen wrote:
I don't see why this is open source related. The same can be said of closed-source software, and it'll be much harder to find out.

I completely agree. From the consumer perspective, the only thing that is better for closed source software when some big screw-up happens is that you've got a support hotline number where you can call and scream your head off for $0.99/minute.

So the bottom line here is IMO: Yes, we should worry. But so should everybody else... ;)


Last edited by Voltago on Sun Feb 24, 2008 11:43 pm; edited 1 time in total
jcat
Veteran
Joined: 26 May 2006
Posts: 1337

Posted: Sun Feb 24, 2008 10:09 pm    Post subject:

Sounds like all the issues referenced in the top post are hardware issues and one possible security breach of some kind (yet to be determined).

It seems clear to me that even the most "secure" and trustworthy OS can be insecure or broken in the wrong hands (unless you're just unlucky and discover a bug or security hole). *NIX is inherently more secure than Windows, even if only because the vast majority of viruses and Root Kits are written for windows! :) That's where most of the "hackers" market is.



Cheers,
jcat
All times are GMT